The latest update of Google Maps is unavailable in my country, so I downloaded a version by googling for "Google Maps 5.4.0 apk". I did in fact find it, but now I wonder how I can tell if this is in fact the same version as in the market. How can I be sure that it hasn't been tampered with?

Are apps signed in any way? Is there any way of checking the signatures?

If you visit, from your mobile, the page m.google.com/maps, does it offer you a download link or something similar?
– Nicolás, May 14 '11 at 16:23

@Nicolás: It links to the market, from which I can't download it.
– Nathan Fellman, May 14 '11 at 16:29

Not surprising coming from Google. By the way, and I know I'm not answering your original question, but have you tested MapDroyd?
– Nicolás, May 14 '11 at 16:38

@Nicolás: I haven't, and I actually use Waze for my day-to-day navigation. Google Maps is just an example. Google Books is another example, Google Streetview yet another (in fact it looks like only Google apps give me this trouble...)
– Nathan Fellman, May 14 '11 at 16:52

1 Answer
1

Sidestepping the debate over the legitimacy of installing that app on your phone, the question of verification is one that I've been meaning to understand for a while, and you've prompted me to try to figure out a possible way of verifying who signed an apk.

Android apps are signed in the normal manner of .jar files (.apk is really just a special .jar, which is just a special .zip); however, it may not be trivial to trace the authenticity of the certificates unless you have something known good to compare to. That's basically what the phone itself does: it verifies that something that claims to be from the same party as something already on the phone actually is. The phone doesn't refuse to install things with unknown signers; it can only (object to / clear application data of) apparent forgeries when something new doesn't match something old that it claims to.

You will need to have jarsigner and keytool. I believe these come from the JDK, which is a prerequisite for the Android SDK, rather than from the SDK itself.

First you want to try to verify the public key contained within the .apk. Usually this is in META-INF/CERT.RSA, but it can be in another file; unzip -l will tell you. You want to see what you can find out about it:

unzip -p suspect.apk META-INF/CERT.RSA | keytool -printcert

That's going to dump out a lot of information about who the signer claims to be. Some certificates are apparently themselves signed by known parties, but without figuring out how to trace that, I suspect you could do something like this:

If you have a known trusted apk from the same author who used the same certificate, compare the two certificates. I'm assuming that the certificates having the same MD5 sum is enough.

Assuming you've decided to trust the certificate, then you can see if it has been used to sign each of the files within the .apk

jarsigner -verbose -verify suspect.apk

(If there's more than one .RSA file in the archive, you should add the -certs flag to tell you which certificate(s) have been used to sign each file, so you can be sure it's the certificate you verified.)
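As an added example (my own script, not part of the answer above), the two steps described can be chained into one POSIX shell check: pull the signer's certificate out of a known-good apk and out of the suspect apk, compare their fingerprints, and only then let jarsigner check every entry. It assumes unzip, keytool and jarsigner are on PATH and that the signature block is named META-INF/*.RSA (use unzip -l if it is not).

```shell
#!/bin/sh
# Added example, not the answer's own code. Compares the signing certificate
# of a suspect .apk with that of a trusted .apk from the same author, then
# runs jarsigner over the suspect. Assumes unzip, keytool, jarsigner on PATH.

# Print the SHA1 fingerprint of the first signing certificate in an apk.
# Assumes the signature block is META-INF/*.RSA; adjust if unzip -l differs.
apk_cert_fingerprint() {
    unzip -p "$1" 'META-INF/*.RSA' \
        | keytool -printcert \
        | sed -n 's/^[[:space:]]*SHA1:[[:space:]]*//p' \
        | head -n 1
}

# Normalise a fingerprint so "ab:cd" and "AB CD" compare equal.
norm_fp() {
    printf '%s' "$1" | tr -d ': ' | tr 'a-f' 'A-F'
}

# Return 0 only when both fingerprints are non-empty and identical.
same_cert() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$(norm_fp "$1")" = "$(norm_fp "$2")" ]
}

# Full check: same certificate as the trusted apk, and every entry verifies.
check_apk() {
    trusted="$1"; suspect="$2"
    t=$(apk_cert_fingerprint "$trusted")
    s=$(apk_cert_fingerprint "$suspect")
    if ! same_cert "$t" "$s"; then
        echo "certificate mismatch: trusted=$t suspect=$s" >&2
        return 1
    fi
    # -certs shows which certificate signed each entry if several .RSA exist.
    # Older jarsigner exits 0 even for "jar is unsigned", so check the text.
    out=$(jarsigner -verify -verbose -certs "$suspect" 2>&1)
    case "$out" in
        *"jar verified"*) echo "ok: $suspect signed like $trusted" ;;
        *) echo "jarsigner did not verify $suspect" >&2; return 1 ;;
    esac
}

# Usage: sh check_apk.sh trusted.apk suspect.apk
if [ "$#" -eq 2 ]; then
    check_apk "$1" "$2"
fi
```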